
Protecting Patient Privacy Beyond HIPAA


By: Emilie Branch, Content Manager, Swoop

While a landmark for patient privacy when ratified in 1996, the Health Insurance Portability and Accountability Act (HIPAA) falls short when de-identified health information is used for targeted advertising, which creates risks for health marketers. To fill the gaps left by HIPAA, the Network Advertising Initiative (NAI) provides a modern-day framework for the responsible use of health data in a digital-first world.

HIPAA regulates how protected health information (PHI) is handled and generally prevents its disclosure without a patient’s consent. However, several key exceptions override this, including sharing data with other health care operations, for the benefit of the public (as is the case with Covid vaccination status), in cases of abuse, for workers’ compensation, as requested by law enforcement or deemed essential for government functions, for organ donation and in certain research. As a subset of the Privacy Rule, the Security Rule protects the confidentiality of electronic health information (e-PHI), and although it is designed for a fully digital system, encryption is not mandatory. Given the exceptions that define HIPAA, covered entities are essentially forced to use their best judgment and act ethically, which is ambiguous and could lead to a breach, even an inadvertent one.

Because of HIPAA’s extensiveness and its many covered entities, compliance is a moving target. Typical violations are attributed to inadequate training, inadvertent internal disclosures or third-party hacks. With respect to DTC marketing efforts, there are several ways to breach HIPAA. For example, if a patient completes a contact form or survey on a health website and in any way indicates a diagnosis, that response must be protected as PHI, and handling the data is then subject to HIPAA. However, since HIPAA was not created exclusively for targeted advertising, certain ambiguities prevail. For instance, although HIPAA certification attests that a data set is de-identified, it does not guarantee privacy within the segment itself. The most obvious example: if a condition-specific segment consists of a single person and that person receives an ad, it is clear they have the disease.

These scenarios are exactly why the Network Advertising Initiative (NAI) must be on the radar of every health marketer. Founded in 2000, the NAI is a self-regulating body that builds on HIPAA but goes further, providing specific guidance for health advertising. NAI’s Code of Conduct is regularly updated to reflect relevant technologies and developments; it was last updated in 2020 to address health data segments and sensitive conditions. 

NAI requirements are stringent and include an annual review by a member of the compliance team. Opt-in consent is required for the use of Personal and Device-enabled Identifier Information (PII/DII). Furthermore, all data collected, used and retained must be transparent. If it originated from an unqualified source, it won’t pass the audit. This purposeful system built on explicit patient permission assures privacy in all advertising environments and provides direct guidance on patient audiences for targeted marketing. 


Swoop, the first health data technology company to become a member of the NAI, has built over 3,000 privacy-safe patient segments for 42 of the top 50 pharmaceutical brands and 18 of the top 20 healthcare marketing agencies. In addition to NAI compliance, we are HIPAA accredited and embed our proprietary k-anonymity process, a scientific way to de-identify patients, into every custom audience we create. A segment of one is impossible with k-anonymity, which requires that every data set contain at least two people (50% is the maximum allowable audience quality, or AQ) to keep identities confidential. Although AQ cannot surpass a 50% prevalence rate, our segments typically include more than 100 to 5,000 times the number of patients found in the general population.
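The "segment of one" problem described above, and the k-anonymity idea used to prevent it, can be made concrete with a small check over a segment's quasi-identifiers. The following is an added illustration of the generic k-anonymity technique, not Swoop's proprietary process or any code from this article; the sample rows, the choice of quasi-identifiers (3-digit ZIP, age band, sex) and the age-band coarsening table are all constructed assumptions. A segment is k-anonymous when every combination of quasi-identifier values is shared by at least k people; the article's minimum of two people corresponds to k=2, and k is a tunable parameter.

```python
from collections import Counter

# Constructed sample segment: quasi-identifiers only, no names or contact
# details. These rows are made up for this example, not real patient data.
SAMPLE_SEGMENT = [
    {"zip3": "100", "age_band": "40-49", "sex": "F"},
    {"zip3": "100", "age_band": "40-49", "sex": "F"},
    {"zip3": "100", "age_band": "40-49", "sex": "F"},
    {"zip3": "941", "age_band": "30-39", "sex": "M"},
    {"zip3": "941", "age_band": "30-39", "sex": "M"},
    {"zip3": "606", "age_band": "60-69", "sex": "F"},  # a class of one
    {"zip3": "606", "age_band": "50-59", "sex": "F"},  # another class of one
]

# Assumed quasi-identifiers: attributes that are not identifiers on their own
# but can single someone out in combination.
QUASI_IDENTIFIERS = ("zip3", "age_band", "sex")

# Assumed generalization table: coarsen age bands to 20-year ranges.
COARSE_AGE = {"30-39": "30-49", "40-49": "30-49", "50-59": "50-69", "60-69": "50-69"}


def equivalence_classes(rows, qids=QUASI_IDENTIFIERS):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(row[q] for q in qids) for row in rows)


def k_anonymity(rows, qids=QUASI_IDENTIFIERS):
    """Return the k the segment satisfies: the size of its smallest class (0 if empty)."""
    classes = equivalence_classes(rows, qids)
    return min(classes.values()) if classes else 0


def singleton_classes(rows, qids=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that pin down exactly one person."""
    return sorted(c for c, n in equivalence_classes(rows, qids).items() if n == 1)


def generalize_age(rows):
    """Generalization: replace each age band with its coarser range."""
    return [dict(r, age_band=COARSE_AGE.get(r["age_band"], r["age_band"])) for r in rows]


def suppress_small_classes(rows, k, qids=QUASI_IDENTIFIERS):
    """Suppression: drop every row whose class has fewer than k members."""
    classes = equivalence_classes(rows, qids)
    return [r for r in rows if classes[tuple(r[q] for q in qids)] >= k]


def release_segment(rows, k=2, qids=QUASI_IDENTIFIERS):
    """Return a k-anonymous version of the segment, or raise if none can be built.

    Generalization is tried first because it keeps every row; suppression is
    the fallback because it shrinks the audience.
    """
    candidate = rows
    if k_anonymity(candidate, qids) < k:
        candidate = generalize_age(candidate)
    if k_anonymity(candidate, qids) < k:
        candidate = suppress_small_classes(candidate, k, qids)
    if k_anonymity(candidate, qids) < k:
        raise ValueError(f"segment cannot be made {k}-anonymous")
    return candidate


if __name__ == "__main__":
    print("raw k:", k_anonymity(SAMPLE_SEGMENT))
    print("classes of one:", singleton_classes(SAMPLE_SEGMENT))
    released = release_segment(SAMPLE_SEGMENT, k=2)
    print("released rows:", len(released), "k:", k_anonymity(released))
```

On the sample data the raw segment only reaches k=1 because the two 606-area rows sit in classes of one; coarsening the age band merges them into a single class of two, so all seven rows can be released at k=2 without suppressing anyone. Raising k, or adding a quasi-identifier such as a condition flag, makes the check correspondingly stricter.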

In the end, nearly every healthcare targeting data provider and DSP has embraced the self-regulatory guidelines of the NAI. This is driven by a belief that safeguarding patient privacy is not just a legal responsibility but an ethical one as well. Knowing your advertising supply chain is critical for ensuring patient privacy and protecting your brand. So ask your providers whether they are members of the NAI. Anything less is a gamble.

About the Author

Emilie Branch 

Content Manager



Emilie has nearly a decade of experience in marketing, writing, research and strategy for the pharmaceutical industry. She has contributed to top pharmaceutical publications including American Pharmaceutical Review, European Pharmaceutical Review, Pharmaceutical Manufacturing, Manufacturing Chemist, Pharmaceutical Outsourcing, Specialty Chemicals, and Contract Pharma. Prior to joining Swoop/IPM.ai, Emilie served as Strategic Content Manager and Managing Editor for Pharma’s Almanac where she lent her voice to some of the industry’s top players including GSK, MilliporeSigma and ThermoFisher Scientific.